Dear dnsop working group, On Thu, 05 Nov 2015 17:20:18 -0800 IETF Secretariat <[email protected]> wrote:
> The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state > Candidate for WG Adoption (entered by Tim Wicinski) > > The document is available at > https://datatracker.ietf.org/doc/draft-ogud-dnsop-maintain-ds/ First, I definitely think that this should be a working group document. Second, some comments about the draft (with the hope that it does get adopted): * I think "all 0" CDS/CDNSKEY indicating desire for deletion is fine. Defining a DNSKEY algorithm that does not actually define a DNSKEY algorithm is a bit weird. * Perhaps a paragraph clarifying behavior when there is the "all 0" CDS/CDNSKEY AND another CDS/CDNSKEY record is a good idea? Something like: If any other CDS/CDNSKEY record is present in a zone, then the CDS/CDNSKEY records indicating deletion MUST be ignored. * The acceptance criteria for new CDS records seem less like a protocol definition and more like an exploration of possible approaches. Probably this is because that is what they are? :P Does it make sense to define more detail? I kind of think "yes", but since there is no deployment experience it's likely that it would all be incorrect. * I don't see much motivation for "Acceptance policy via authenticated channel". It seems like if you have access to such a channel you may as well just provide the DS record? Or is the idea that you make it so that the administrator for a zone doesn't need to cut/paste DS information but can just check a "delegate this" box? * Perhaps "Accept with challenge" should provide some advice on how this works. For example, a TXT record with a unique key for each zone (or customer) seems like a good recommendation. It might also make sense if each child domain (or customer) has a unique ownername to look for, to prevent 3rd parties from detecting such bootstrapping. (Yes a 3rd party can see the CDS update followed by the DS update, but they won't know the verification used.) Also to note that after the trust is established that the challenge record should no longer be necessary and can be removed. Sayōnara! -- Shane _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
